Responsive
secuRity
Be Ready to Be Secure

Meng-Chow Kang


Responsive
secuRity
Be Ready to Be Secure



Responsive
secuRity
Be Ready to Be Secure

Meng-Chow Kang

Boca Raton London New York

CRC Press is an imprint of the
Taylor & Francis Group, an informa business


CRC Press
Taylor & Francis Group
6000 Broken Sound Parkway NW, Suite 300
Boca Raton, FL 33487-2742
© 2014 by Taylor & Francis Group, LLC
CRC Press is an imprint of Taylor & Francis Group, an Informa business

No claim to original U.S. Government works
Version Date: 20130812
International Standard Book Number-13: 978-1-4665-8431-0 (eBook - PDF)
This book contains information obtained from authentic and highly regarded sources. Reasonable efforts
have been made to publish reliable data and information, but the author and publisher cannot assume
responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to
copyright holders if permission to publish in this form has not been obtained. If any copyright material has
not been acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented,
including photocopying, microfilming, and recording, or in any information storage or retrieval system,
without written permission from the publishers.
For permission to photocopy or use material electronically from this work, please access www.copyright.
com ( or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood
Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and
registration for a variety of users. For organizations that have been granted a photocopy license by the CCC,
a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.
Visit the Taylor & Francis Web site at

and the CRC Press Web site at



Contents

List of Figures
ix
List of Tables

xi
List of Abbreviations
xiii
Prefacexvii
Acknowledgmentsxix
Authorxxi

1

Introduction1
1.1

Background and Motivations
1
1.1.1 Business, Technology, and Risk Development
2
1.1.2 Common Knowledge, Standards, and Practices
4
1.1.3 Profession, Organizational Role, and Function
6
1.2Purpose
7
1.3Questions
8
1.4 Research Methodology
8
1.5 Organization of Subsequent Chapters
9
Endnotes10


2

Knowledge, Issues, and Dilemmas

15

2.1Introduction
15
2.2 Information Security
15
2.3 Principles and Approaches
18
2.3.1 Security: As Strong as the Weakest Link
19
2.3.2 Defense in Depth
19
2.3.2.1 Use of Security Technology
20
2.3.2.2 Baseline Security
22
2.3.3 No Perfect Security
25
2.3.4 Information Security Is Information Risk
Management26
2.3.4.1 Risk, Risk Assessment, and Risk
Management27
2.3.4.2 Problems of Risk-Based Approach
33
2.3.5 A Circular Problem
38

2.3.6 IT Security Governance
39
v


vi

Contents

2.4

Information Security Risk Management Strategy
41
2.4.1 Protect–Detect–React (PDR)
42
2.4.2 Detect–React–Protect (DRP)
42
2.4.3 Need for Strategic Thinking
44
2.5 Information Security Program
44
2.5.1 Organization and People
45
2.5.2 Risk Assessment and Management
46
2.5.3Policies
46
2.5.4Communication
49
2.5.5Developments

49
2.5.6 Operational Security
50
2.5.7 Performance Measurements
51
2.6 Responding to Change
55
2.7 Current Research and Social Perspectives
57
2.8Conclusion
59
Endnotes61

3

Practice, Issues, and Dilemmas
3.1

3.2

67

Information Risk Management (IRM) Practices
67
3.1.1 Organization and Management Commitments
68
3.1.1.1 Stakeholder Support for IRM Program
69
3.1.2 Culture of Compliance and Control-Oriented
Risk Management

71
3.1.3 Theory of Action and Theory in Use
72
3.1.4 Risk of Habituation
76
3.1.5 Information Risk Management Organization
77
3.1.5.1 Systems of Knowledge Power
78
3.1.6 Responding to Security Incidents
81
3.1.6.1 Incident 1: SNMP Vulnerability
81
3.1.6.2 Incident 2: SPAM Mail
82
3.1.7 Uncertainties in Information Security Risk
Analysis and Management
83
3.1.8 Causal Analysis of Information Security Systems 88
3.1.9 Summary of Issues and Dilemmas
92
Social–Technical Approach
93
3.2.1 Model A Approach
94
3.2.1.1 Addressing Theories of Actions of
IRMs and Other Managers
95
3.2.1.2 Addressing Auditors’ Theories of
Actions97

3.2.1.3 Competency and Trust
101
3.2.1.4 Five-Level Action Map (FLAM)
104


Contents

vii

3.2.1.5 Combining Social and Technical
Aspects of Information Security Risk
Management Systems
105
3.2.1.6 Communicating Information Security
Risk Status
107
3.2.1.7 Limitations of New IRM Systems
110
3.2.1.8 Learning through Model A Approach
111
3.2.2 Model B Approach
113
3.2.2.1 IRM Organization Model
113
3.2.2.2 Learning through the Model B
Approach116
3.2.2.3 Learning from SQL Slammer, Blaster,
and SARS Incidents
117

3.2.2.4 Business Continuity and Disaster
Recovery Planning
123
3.2.3 Summary of Issues and Dilemmas and Research
Outcome124
Endnotes126

4

Responsive Security

133

4.1
4.2
4.3
4.4
4.5
4.6
4.7
4.8
4.9

Piezoelectric Metaphor
133
BETA’s Approach to Emerging Risks and Attacks
137
Learning from Tsunami Incident
143
Revealing Uncertainties and Making Risks Visible

145
Responsive, Reactive, and Proactive Strategies
148
Criticality Alignment
151
Testing Responsive Approach at GAMMA
154
Learning from Antinny Worm Case Study
156
Refining Responsive Approach
160
4.9.1 Risk Forecasting
160
4.9.2 Scenario Planning and Development
163
4.9.3 Responsiveness Requirements and Action
Strategies169
4.9.3.1 Information Security Policies
169
4.9.3.2 Information Security Program
171
4.9.3.3 Readiness Assurance
171
4.10 Responsive Learning
172
Endnotes176

5

Conclusions and Implications

5.1
5.2

Summary and Results
Conclusions about Each Research Question

181
181
184


viii

Contents

5.3 Implications for Theory
188
5.4 Implications for Policy and Practice
189
5.5 Suggestions for Further Research
192
Endnotes194

Appendix A: Action Research Cycles

195

Appendix B: Dialectic Model of Systems
Inquiry (DMSI)


199

Appendix C: Framework for Information Risk
Management205
References213


List of Figures

Figure 2.1  Circular problem of information security principles.

38

Figure 3.1  Stakeholder analysis: attitudes of stakeholders toward
IRM function.

70

Figure 3.2  Stakeholder analysis: capability of stakeholders in
influencing IRM program.

70

Figure 3.3  Causal view of audit and compliance-focused risk
management practice at ALPHA at initial action research cycle
of study.

75

Figure 3.4  Common risk analysis and management approach.


84

Figure 3.5  Causal view of information security system.

89

Figure 3.6  Traditional system of business investment focusing only
on outcome of business value creation.

91

Figure 3.7  New system view on relationship of business values,
resource investments, and undesirable activities or behaviors.

91

Figure 3.8  Information risk practice with CSA.

95

Figure 3.9  Audit review to assure adequate systems practices and
behavior.96
Figure 3.10  Symptomatic responses to audit interventions.

96

Figure 3.11  “Shifting the burden” structure enforced with
symptomatic response.


97

Figure 3.12  Enforcing fundamental response by IRM program.

98

Figure 3.13  Initial five-level action map (FLAM) of information
security risk management system.

104

Figure 3.14  Information risk management system incorporating
stakeholders’ participation.

106

Figure 3.15  Progress in stakeholders’ acceptance of IRM program.

112

Figure 3.16  Lack of synergy of IRM, BCP, and DRP systems and
processes.123
ix


x

List of Figures

Figure 4.1  Mapping piezoelectric behavior to responsive behavior.


136

Figure 4.2  Element of uncertainty creates invisible plane on risk
chart.147
Figure 4.3  Sources of information for information risk forecasting.

162

Figure 4.4  Mapping risk forecasts against requirements for
criticality alignment.

164

Figure 4.5  Information risk management system model based on
responsive approach.

170

Figure 4.6  Concept of single- and double-loop learning.

173

Figure 4.7  Macro view of responsive information security risk
management systems model.

174

Figure 4.8  Incorporating responsive learning into single- and
double-loop learning.


175

Figure 5.1  Resolving circularity problem of information security
principles by introduction of piezoelectric behavior or responsive
security principles.

183

Figure A.1  Summary of action research cycles and scope of data
analysis.196
Figure A.2  Meta-methodology perspective depicting four main
research cycles encompassing six subcycles.

196

Figure B.1  Dialectic model for implementation of responsive
security approach.

200

Figure C.1  Information risk management framework.

206


List of Tables

Table 3.1  Four Windows Systemic View of Information Risk
Management Situation at ALPHA during Initial Action Research Cycle 93

Table 3.2  Four Windows Systemic View of Information Risk
Management Situation at ALPHA during Action Research Cycle on
Model B Approach

125

Table C.l  Laws, Regulations, and Policy Parameters

206

Table C.2  Management and Organization Parameters

206

Table C.3  Security Services Parameters

207

Table C.4  Methods and Processes Parameters

208

Table C.5  Techniques and Mechanisms Parameters

209

Table C.6  Guidelines and Common Practices

210


Table C.7  Technology and Solutions Parameters

210

xi



List of Abbreviations

ALE
Annual loss expectancy
ATM
Automated teller machine
BCM
Business continuity management
BIRM
Business-aligned information risk manager
BSI
British Standards Institute
CCO
Chief control officer
CCTA
Central Computer and Telecommunication Agency
CEO
Chief executive officer
CERT
Computer emergency response team
CIO
Chief information officer

CIRO
Chief information risk officer
CIRT
Computer incident response team
CISO
Chief information security officer
CISR
Center for Information Systems Security Studies and Research
CISSP
Certified Information Systems Security Professional
COO
Chief operating officer
CRA
Computer Research Association
CSA
Control self-assessment
CSO
Chief security officer
CTO
Chief technology officer
DA
Data analysis
DCRP
Disaster contingency and recovery plan
DMSI
Dialectic model of systems inquiry
DNS
Domain name system
DRPDetect–react–protect
DRP

Disaster recovery planning
ECDR
Education, competency, due diligence, due care, and reward to
behave well
ECO
Extranet Connectivity Organization
ER
Emergency response
FIPS
Federal Information Processing Standard
FIRM
Framework for information risk management
FLAM
Five-level action map
FMEA
Failure mode effects analysis
HAS
Human activities systems
xiii


xiv

List of Abbreviations

IA
Information assurance
IDS
Intrusion detection system
IRM

Information risk management (or manager)
ISAC
Information Sharing and Analysis Center
ISMS
Information security management system
ISP
Internet service provider
ISRA
Information security risk assessment
ISRM
Information security risk management (or manager)
IT
Information technology
KRI
Key risk indicator
LD
Losses and damage
LEP
Law and regulations, enforcements, and policies
LOB
Line of business (business division)
LOC
Location Operating Committee
LSASS
Local Security Authority Services Server
MAS
Monetary Authority of Singapore
MRTC
Mass Rapid Transit Corporation
ORC

Operational risk capital
ORM
Operational risk management
OSP
Outsource service provider
PDCA
Plan–do–check–act (ISO standardized management process)
PDRProtect–detect–react
PFIRES
Policies Framework for Information Security
PKI
Public key infrastructure
R&CRisks-and-controls
RA
Risk acceptance
RAISE
Regional Asia Information Security Exchange
RCA
Requirements for criticality alignment
RIRO
Regional information risk officer
ROSI
Return on security investment
RPC
Remote procedure call
SARS
Severe acute respiratory syndrome
SBU
Strategic business unit
SECD4

A collection of social science inquiry techniques, which
includes stakeholder analysis (S), entry and contracting (E),
convergent interviewing (C), dialectic data analysis (D), and
Flood’s Four Windows Systemic View (4)
SME
Subject matter expert
SNMP
Simple Network Management Protocol
SPSTC
Security and Privacy Standards Technical Committee
SQL
Structured query language
SSM
Soft systems methodology
TCC
Technology Control Council


List of Abbreviations

TCSEC
TRC
TVE
UA
UB
UDP
VPN
WS

Trusted computer system evaluation criteria (Orange Book)

Technology Risk Council
Threats, Vulnerabilities and Exploits
Undesirable activities
Undesirable behavior
User datagram packet
Virtual private network
Weak systems

xv



Preface

Managing information security risk is an important activity of business
enterprises and government organizations to address related information
security threats and vulnerabilities, ensure compliance with regulations and
best practice standards, demonstrate due diligence to shareholders and customers, and achieve business objectives with minimum cost.
While many researchers and practitioners have contributed to the development and progress of information risk management, existing approaches
have achieved only limited success and the practice remains problematic.
This is frequently observed in recurring incidents of information security
issues and needs, in particular, when businesses, operations, and/or technological environments are subjected to changes.
The nature of the challenges in managing information risk is complex.
Its complexity emerges as the domain encounters increasing numbers of
issues and dilemmas arising from often conflicting requirements, demands,
perceptions, and influences, including but not limited to people (individual
and groups), processes, and technology, fueled by the economics of business,
political desires of authorities, and cultural constraints of people in the problem environment. Existing approaches that only partially manage the complexities have not been able to address those needs satisfactorily.
To address these issues and dilemmas, information security practition­
ers must be reflective in practice, be able to learn on the go, evolve their

practice in a responsive and reliable manner, and handle changes in the risk
environment in which they operate. Similarly, an organization must be ready
and responsive. It must take a responsive or piezoelectric approach based on
its response readiness needs to address its information security risk management requirements and incorporate the changing nature of the risk environment in which it operates.
The responsive approach is based on a substantive concept for information
risk management known as the piezoelectric theory. The theory was developed
over the course of an empirical study, using action research that involved
multiple case studies, interviews of practitioners, and testing of devised methodologies in actual practice environments for more than six years.
The piezoelectric theory states that if the design of information security
practices of organization systems that enables a prompt realignment of the systems satisfies the systemic requirements for the changing risk condition of the
xvii


xviii

Preface

systems environment, the potential negative effects of the new risk condition of
the systems environment will be balanced or counteracted by the re-alignment
activities.
As a result of responsive behavior in organizational systems, the consequences of an emerging or new risk condition of the environment will likely
cause less (negative) impact to organization systems. The significance of the
impacts relates inversely to security readiness and thus the responsiveness
of the organization. Readiness is an organization’s preparedness to realign
its activities and take the appropriate actions to balance against the negative
effects of a changing risk environment in a timely and systemic manner.
Through implementation and practices, the responsive approach using
the piezoelectric theory has shown effectiveness in addressing information
security needs arising from changing risk situations that cannot be addressed
effectively by traditional compliance- and controls-oriented approaches.

This book reviews the issues and dilemmas in current knowledge and
practices, introduces the principles and methods of the responsive approach
and the notion of security readiness, demonstrates viability and practicality of the approach in today’s information security risk environment, and
encourages adoption and practice. By involving more practitioners and
researchers in the practice and discourse, I hope to also further develop and
align the approach to address the changing problems faced by practitioners.


Acknowledgments

Many friends and colleagues in the field of information security and action
research have been generous in sharing their thoughts and giving their support and encouragement through the various stages of this endeavor, in particular, Chuan-Wei Hoo, Professor Pauline Reich, Dr. Boon-Hou Tay, and
Professor Bob Dick. I am also grateful to the editorial team at CRC Press, in
particular, the guidance and assistance rendered by Ruijun He, Iris Fahrer,
and Stephanie Morkert throughout the publication process.
This book would not be possible without the unwavering support, understanding, and endurance of my beloved family. Thank you all.
Meng-Chow Kang

xix



Author

Meng-Chow Kang, PhD, has been a
practicing information security professional for more than 20 years with field
experience spanning from the technical
to managerial in various information
security and risk management roles for
the Singapore government, major multinational financial institutions, and security and technology providers.

Dr. Kang has contributed to the
development and adoption of international standards relating to information
security since 1998 and his work has
been recognized with numerous industry awards. He was the chairperson for Singapore’s Security and Privacy
Standards Technical Committee (SPSTC) from 1998 to 2007, and the first
convener for the Security Controls and Services Standards Working Group
(WG 4) at ISO/IEC JTC 1/SC 27.
In 2004, Dr. Kang cofounded the Regional Asia Information Security
Exchange (RAISE) Forum () that serves as a platform
for regional information sharing and contributes to international standards
development in ISO and ITU-T. In May 2012, he was appointed the chairperson for a new ITSC Cloud Security Working Group focusing on the development of cloud computing–related security standards.
Dr. Kang earned an MSc in information security from the Royal
Holloway and Bedford New College, University of London, and completed
his PhD program in information security risk management at the Southern
Cross University in Australia. He has been a Certified Information Systems
Security Professional (CISSP) since 1998.

xxi



1

Introduction

1.1  Background and Motivations
A common objective of information risk1 management is to ensure adequate
protection of the confidentiality, integrity, and availability of information
and information systems that are critical or essential to the success of a
business.2 Through my experience as an information security practitioner

for more than 20 years, and ongoing discourse with fellow practitioners and
researchers in this field, a common observation is that the knowledge and
practice of information risk management lag behind other management disciplines and are often inadequate for supporting the needs of practitioners in
the field.
To a large extent, rather than taking strategic approaches, practitioners’
methods have been based mostly on individual experience, trial and error,
and in some instances, adaptation of methods from other knowledge sources
and disciplines. Most practitioners have focused on policy compliance, primarily addressing known risk issues and reacting to security incidents as
they occur while recognizing the constantly changing nature of each organization’s risk environment.
My interest in improving my practice in the field drove me to undertaking a study to identify or develop a suitable approach for managing information risk in the changing environments of business organizations. The study
considers the knowledge gaps in the existing literature and the issues and
dilemmas observed in practice. My experience in this field also shaped my
thinking and analysis of the subject, steps in formulating the research problem, and developing the outcome. The study yielded an approach for managing information security risk known as the responsive approach that focuses
on the response readiness of an organization to contend with the changing
nature of its information risk environment.
This chapter introduces the thematic issues and dilemmas identified
in information risk management that fueled the need for a research study.
It contains a summary of the questions critical to the practice and a brief
description of the study and research methodology that led to the development of the responsive security approach, and closes with an outline of the
chapters that follow.

1


2

Responsive Security: Be Ready to Be Secure

1.1.1  Business, Technology, and Risk Development
My research for a new or enhanced approach to information risk management began in January 2002 at ALPHA,3 a multinational financial institution operating in more than 50 countries. I was a member of the information

risk management (IRM)4 team responsible for managing the organization’s
information risks for 11 cities5 across the Asia Pacific region.
During that period, as the aftermath of the tragic September 11, 2001
incident6 in the United States and subsequent war in Afghanistan negatively
affected the economy worldwide (Madrick 2002, Moniz 2003), many business organizations began a series of rapid changes to reduce costs in view of
a projected zero or negative growth in business revenue and reduced budgets (Yourdon 2002). ALPHA was not excluded from this development. The
economic cycle seems to have repeated itself every few years since then. In
late 2008, at the completion of my research study, economic recession again
loomed in the United States and many other countries as a result of the credit
crisis starting in 2007. At the time of this writing in 2012, the European economic crisis, declining growth in China, albeit moderate, and in many countries in the Asia region, and the slow economic recovery in the US all exhibit
a return to cycles of economic uncertainties and constant changes.
In view of the economic downturns, many organizations (including
ALPHA) accelerated their efforts to outsource and offshore7 to reduce operating expenses related to information technology (IT) and other areas of
business operations. The evolution toward an extended enterprise requires
organizations to increase their reliance on external providers for services and
operations and creates an extended trust environment that the business units
increasingly depend upon to meet their goals. Such a change was common in
the industry then (McDougall 2002a and b), and continues.
Regulators were mostly supportive and devised new policies to enable
such an approach to globalization (Matsushima 2001, Yakcop 2000, Bank of
Thailand 2003). Although these changes were planned, many organizations
were not ready to address and manage the related changes in their information security risks. Knowledge and practices supporting the management
of information risks focused on devising internal controls within a single
organizational setting, relying mostly on contractual and service level agreements to manage external risk that could not be controlled adequately by
internal policies.
In 2012, the concept of an extended enterprise was taken to a new level with
the proliferation of cloud computing, virtualization technology, and mobility
technology as new tools for chief information officers (CIOs) to enable them to
keep operating costs down and improve efficiency. Businesses small and large
are moving their infrastructures, operating platform systems, applications,

and/or data to cloud data centers that may be provided by third parties (cloud